Cisco Email Security Appliance C160 User Guide

AsyncOS 9.1.2 for Cisco Email Security Appliances User Guide
 
Chapter 9      Using Message Filters to Enforce Email Policies
  Message Filter Rules
Signed Rule
The signed rule checks messages for a signature. The rule returns a boolean value to indicate if the message is signed or not. This rule evaluates whether the signature is encoded according to ASN.1 DER encoding rules and whether it conforms to the CMS SignedData Type structure (RFC 3852, Section 5.1). It does not aim to validate whether the signature matches the content, nor does it check the validity of the certificate.
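An added sketch (not from the Cisco guide, and not AsyncOS's own implementation) of a structure-only check in the sense described above: it accepts a DER-encoded ContentInfo with the SignedData field layout of RFC 3852 Section 5.1 and never examines the signature value or any certificate. The function names and the constructed SAMPLE blob are assumptions of this example; SAMPLE carries a junk signer entry and still passes.

```python
OID_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")  # id-signedData 1.2.840.113549.1.7.2

def read_tlv(buf, pos=0):  # one DER TLV -> (tag, value, next_pos); ValueError if malformed
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length >= 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):  # n == 0 is BER indefinite length
            raise ValueError("bad length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        if length < 0x80 or buf[pos] == 0:  # DER requires the shortest length form
            raise ValueError("non-minimal length")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated value")
    return tag, buf[pos:pos + length], pos + length

def children(value):  # split a constructed value into its (tag, value) members
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def looks_like_signed_data(blob):  # structure only; no signature or certificate checks
    try:
        tag, body, end = read_tlv(blob)
        outer = children(body)
        if (tag != 0x30 or end != len(blob) or len(outer) != 2
                or outer[0] != (0x06, OID_SIGNED_DATA) or outer[1][0] != 0xA0):
            return False
        inner = children(outer[1][1])
        if len(inner) != 1 or inner[0][0] != 0x30:
            return False
        tags = [t for t, _ in children(inner[0][1])]
    except ValueError:
        return False
    # version, digestAlgorithms, encapContentInfo, [0] certs?, [1] crls?, signerInfos
    return (len(tags) >= 4 and tags[:3] == [0x02, 0x31, 0x30] and tags[-1] == 0x31
            and tags[3:-1] in ([], [0xA0], [0xA1], [0xA0, 0xA1]))

def der(tag, *parts):  # short-form encoder for the constructed sample (body < 128 bytes)
    return bytes([tag, sum(map(len, parts))]) + b"".join(parts)

# Constructed sample: well-formed SignedData whose only signer entry is junk bytes.
SAMPLE = der(0x30, der(0x06, OID_SIGNED_DATA), der(0xA0, der(0x30,
    der(0x02, b"\x01"), der(0x31), der(0x30, der(0x06, bytes.fromhex("2a864886f70d010701"))),
    der(0x31, der(0x30, der(0x04, b"not a real signature"))))))
```

A filter that needs to know who signed a message has to add a check on the signer or issuer, such as the signed-certificate rule, on top of this kind of structural match.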
The following example shows a signed rule used to insert headers into a signed message:

signedcheck: if signed { insert-header("X-Signed", "True"); }

The following example shows a signed rule used to drop attachments from unsigned messages from a certain sender group:

Signed: if ((sendergroup == "NOTTRUSTED") AND NOT signed) {
    html-convert();
    if (attachment_size > 0)
    {
        drop_attachments("");
    }
}

Signed Certificate Rule
The signed-certificate rule selects those S/MIME messages where the X.509 certificate issuer or message signer matches the given regular expression. This rule only supports X.509 certificates.
The rule’s syntax is signed-certificate (<field> [<operator> <regular expression>]), where:
<field> is either the quoted string "issuer" or "signer",
<operator> is either == or !=,
and <regular expression> is the value for matching the "issuer" or "signer."
If the message is signed using multiple signatures, the rule returns true if any of the issuers or signers match the regular expression. The short form of this rule, signed-certificate("issuer") and signed-certificate("signer"), returns true if the S/MIME message contains an issuer or signer.
Related Topics
        quarantine("forged");
    }
}